Security


CSRF token

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. When this feature is enabled, a CSRF token is validated on each form submission to avoid CSRF attacks.

Please ensure your site's front-end is ready before enabling this feature. Please contact us for front-end implementation instructions.
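What "validated on each form submission" means in practice, as an added example that is not Kooomo's code: the server issues a random token bound to the user's session, the page embeds it in a hidden form field, and the POST handler refuses to act unless the submitted field matches the session's token. A cross-site request sent from another origin carries the victim's cookies automatically but cannot read the token, so it fails the check. The session store, field name, token lifetime and handler are illustrative assumptions.

```python
"""Added example (not Kooomo's code): a synchronizer-token CSRF check.

Assumptions (illustrative, not the platform's API): a server-side session
store keyed by session id, a hidden form field named "csrf_token", and
tokens that expire after TOKEN_TTL seconds.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)

# Server-side session store: session_id -> {"csrf_token": str, "issued": float}
_sessions: Dict[str, Dict[str, object]] = {}


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Create a fresh random token, bind it to the session, and return it.

    The template embeds it as <input type="hidden" name="csrf_token" value="...">.
    """
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = {"csrf_token": token, "issued": now if now is not None else time.time()}
    return token


def validate_csrf_token(session_id: str, submitted: Optional[str], now: Optional[float] = None) -> bool:
    """Return True only if the submitted form field matches the session's token.

    Rejects unknown sessions, a missing field, expired tokens and mismatches.
    hmac.compare_digest keeps the comparison time independent of where the
    strings differ, so the token cannot be guessed byte by byte.
    """
    record = _sessions.get(session_id)
    if record is None or not submitted:
        return False
    now = now if now is not None else time.time()
    if now - float(record["issued"]) > TOKEN_TTL:
        return False
    return hmac.compare_digest(str(record["csrf_token"]), submitted)


def handle_form_post(cookie_session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Simulated POST handler: a CSRF failure is answered with 403 before any side effect."""
    if not validate_csrf_token(cookie_session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # ... perform the real action here (e.g. store the contact message) ...
    return 200, "ok"


if __name__ == "__main__":
    sid = "sess-abc"  # constructed session id, normally read from the session cookie
    tok = issue_csrf_token(sid)
    print(handle_form_post(sid, {"csrf_token": tok, "message": "hello"}))
    # A cross-site request carries the session cookie but not the hidden field:
    print(handle_form_post(sid, {"message": "forged"}))
```

The same check applies to every state-changing form on the site (contact, login, registration, wishlist), which is why the front-end must embed the field everywhere before the validation is switched on.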

XSS Protection header

The X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. More information can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

X-Frame-Options header

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. More information can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Content Type Options header

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. This lets a site opt out of MIME type sniffing; in other words, it is a way to say that the webmasters knew what they were doing. More information can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
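The three headers above are only useful when they are actually present with a sane value on every response. The following is an added example (not Kooomo's code) of a small audit that checks a response's headers for X-Frame-Options, X-Content-Type-Options and X-XSS-Protection and returns what is missing or weak. The sample response and the "recommended" baseline are constructed assumptions, not platform defaults. One caveat worth knowing: current Chromium-based browsers and Firefox ignore X-XSS-Protection entirely, so it only affects older browsers, and Content-Security-Policy is the defence that still works; the audit therefore accepts both "1; mode=block" and "0" as acceptable values.

```python
"""Added example (not Kooomo's code): audit a response's X-XSS-Protection,
X-Frame-Options and X-Content-Type-Options headers.

The accepted values below are the commonly recommended ones (an assumed
baseline); the sample response is constructed for illustration.
"""
from typing import Dict, List

# Acceptable values per header, compared case-insensitively (assumed baseline).
EXPECTED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    # "1; mode=block" is what enabling the feature typically sends; "0" is the
    # modern recommendation because the legacy filter is gone from most browsers.
    "x-xss-protection": {"1; mode=block", "0"},
}


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names and strip values; header names are case-insensitive."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three headers look fine."""
    h = normalize(headers)
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        value = h.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif name == "x-frame-options" and value.lower().startswith("allow-from"):
            # ALLOW-FROM was never widely implemented; CSP frame-ancestors replaces it.
            findings.append("x-frame-options: ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
        elif value.lower() not in allowed:
            findings.append(f"{name}: unexpected value {value!r}")
    return findings


def recommended_headers() -> Dict[str, str]:
    """The header set this audit considers complete (assumed baseline)."""
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
    }


# Constructed sample response: one header fine, one weak, one missing.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1",  # filter on but not blocking: weaker than "1; mode=block"
}


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
    print("clean baseline:", audit_headers(recommended_headers()))
```

In practice the `headers` dict would come from an HTTP client response (for example `requests.get(url).headers`); feeding it the mapping directly keeps the example offline.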

Enable Content-Security-Policy header

The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks. More information can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Please make sure you set the Content-Security-Policy value before you enable it.

Content-Security-Policy value

The Content-Security-Policy value is the policy string sent in the header. It lists the external domains your site needs to load resources from, so any script, style, image, font or frame origin your pages depend on must appear in it.
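Because the value must be set before the header is enabled, it helps to derive it from the list of external domains rather than writing it by hand, and to lint it before switching it on. The following is an added example (not Kooomo's code) that builds a policy from a per-directive list of origins and checks an existing policy for the mistakes that quietly undo the XSS protection ('unsafe-inline' in script-src, wildcard or plain-http sources, no default-src fallback, unrestricted object-src). Directive names and keywords are from the CSP specification; the domains and the mapping of directives to domains are constructed placeholders.

```python
"""Added example (not Kooomo's code): build a Content-Security-Policy value
from the external origins a site needs, and lint an existing value.

The origins below are constructed placeholders, not real dependencies.
"""
from typing import Dict, List

# Constructed: which external origins each directive needs.
EXTERNAL_ORIGINS = {
    "script-src": ["https://captcha.example", "https://cdn.example"],
    "frame-src": ["https://captcha.example"],
    "img-src": ["https://cdn.example"],
    "style-src": ["https://fonts.example"],
    "font-src": ["https://fonts.example"],
}


def build_csp(external: Dict[str, List[str]]) -> str:
    """Produce a policy that allows 'self' plus the listed origins per directive.

    Anything not listed falls back to default-src 'self'; plugins are disabled,
    <base> hijacking is prevented and framing is restricted to the same origin.
    """
    policy: Dict[str, List[str]] = {"default-src": ["'self'"]}
    for directive, origins in external.items():
        policy[directive] = ["'self'"] + list(origins)
    policy.setdefault("object-src", ["'none'"])
    policy.setdefault("base-uri", ["'self'"])
    policy.setdefault("frame-ancestors", ["'self'"])
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a serialized policy into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(value: str) -> List[str]:
    """Return findings for settings that weaken the policy; empty means none found."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted resource types are unrestricted")
    for directive in ("script-src", "default-src"):
        srcs = policy.get(directive, [])
        if "'unsafe-inline'" in srcs:
            findings.append(f"{directive} allows 'unsafe-inline', which re-enables injected inline scripts")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{directive} allows 'unsafe-eval'")
        if "*" in srcs or any(s.startswith("http:") for s in srcs):
            findings.append(f"{directive} allows wildcard or plain-http sources")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not restricted: plugin content can load")
    return findings


if __name__ == "__main__":
    value = build_csp(EXTERNAL_ORIGINS)
    print("Content-Security-Policy:", value)
    print("findings:", lint_csp(value))
    print("findings for a weak policy:", lint_csp("script-src 'self' 'unsafe-inline' *"))
```

Roll a new value out with Content-Security-Policy-Report-Only first so violations from forgotten origins show up in reports rather than as broken pages; the value string is identical for both headers.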

Disable contact form

Enabling this feature will disable all contact forms. This is useful in cases of a spam attack.

Encrypted contact form email

This function enables you to send asynchronous emails from contact forms published on your website. You will need assistance from your Kooomo representative to enable the function and a Front-End developer to add the following code to your contact form.

Front-end guide to deploy encrypted contact form

Google Captcha Configuration

    Registration Page

    Enables Google Captcha on the Registration page. Please contact us for front-end implementation instructions.

    Login Page

    Enables Google Captcha on login page. Please contact us for front-end implementation instructions.

    Contact Us page

    Enables Google Captcha on Contact Us page. Please contact us for front-end implementation instructions.

    Landing Page Forms

    Enables Google Captcha on landing page forms. Please contact us for front-end implementation instructions.

    Wishlist

    Enables Google Captcha on wishlist page. Please contact us for front-end implementation instructions.